Theme

Security Analyzers

67 analyzers detecting vulnerabilities like SQL injection, XSS, CSRF, command injection, and more.

Overview

Security analyzers focus on identifying and preventing security vulnerabilities in Laravel applications. These analyzers help protect your application from common attacks, ensure secure configuration, validate dependencies, and maintain security best practices throughout your codebase.

Key Analyzers

Critical Vulnerabilities

SQL Injection

Detects potential SQL injection vulnerabilities in database queries

Critical

Pro Column Name SQL Injection

Detects SQL injection vulnerabilities where user input controls column names

Critical

Pro Validation SQL Injection

Detects SQL injection vulnerabilities in validation rules

Critical

Pro Command Injection

Detects command injection vulnerabilities where user input is passed to shell execution functions

Critical

Pro Directory Traversal

Detects path traversal vulnerabilities that allow accessing files outside intended directories

Critical

Pro Remote Code Execution (RCE)

Detects code execution vulnerabilities that allow arbitrary code execution

Critical

Pro Object Injection

Detects unsafe deserialization that can lead to object injection attacks

Critical

Pro Server-Side Request Forgery (SSRF)

Detects SSRF vulnerabilities where user input controls server-side requests

Critical

Pro Eval Usage

Detects dangerous eval usage that can execute arbitrary code

Critical

Pro Extract Function

Detects unsafe extract usage that can overwrite variables

High

Pro XXE Injection Vulnerabilities

Detects XML External Entity injection vulnerabilities

Critical

Pro Regular Expression DoS

Detects ReDoS vulnerabilities from catastrophic backtracking in regex patterns

High

XSS Vulnerabilities

Detects XSS vulnerabilities via code analysis and HTTP header verification

Critical

CSRF Protection

Detects missing CSRF (Cross-Site Request Forgery) protection

Critical

Pro Arbitrary File Upload

Detects file upload vulnerabilities that could lead to remote code execution

Critical

Mass Assignment Vulnerabilities

Detects mass assignment vulnerabilities in Eloquent models and query builders

High

Unguarded Models

Detects Model::unguard() usage that disables mass assignment protection

High

Authentication & Authorization

Authentication & Authorization

Detects missing authentication and authorization protection on routes and controllers

Critical

Login Throttling

Detects missing rate limiting on authentication endpoints to prevent brute force attacks

High

Pro Session Timeout

Ensures session lifetime is configured appropriately for security

Medium

Pro Fortify Security

Validates Laravel Fortify authentication configuration, two-factor auth, password rules, and security settings

High

Pro Passport Security

Validates Laravel Passport OAuth2 configuration, token lifetimes, encryption keys, and security settings

High

Pro Sanctum Security

Validates Laravel Sanctum token configuration, expiration settings, and SPA middleware setup

High

Pro Socialite Security

Validates Laravel Socialite OAuth configuration, credential security, and callback handling

High

Filament Security

Pro Filament Panel Security

Validates Filament admin panel security including authentication, middleware, and access restrictions

High

Pro Filament Resource Authorization

Validates that Filament resources have proper policy bindings for authorization on CRUD operations

High

Pro Filament Tenancy

Validates multi-tenancy scope enforcement in Filament panels to prevent cross-tenant data leakage

High

Pro Filament Custom Pages

Validates that custom Filament pages have proper authorization to prevent unauthorized access

Medium

Pro Filament Form Validation

Validates that Filament form fields have proper validation rules to prevent invalid or malicious input

Medium

Pro Filament Navigation

Validates that Filament navigation groups and items have proper permission gates for visibility control

Medium

Pro Filament Widget Security

Validates that Filament widgets have proper authorization and don't expose sensitive data to unauthorized users

Medium

Payment Security

Pro Cashier Security (Stripe)

Validates Laravel Cashier Stripe webhook verification, key exposure, and payment handling security

High

Pro Cashier Paddle

Validates Laravel Cashier Paddle webhook verification, sandbox detection, and configuration security

High

Configuration & Secrets

Application Key

Validates that the application encryption key is properly configured and secure

Critical

Pro Hardcoded Credentials

Detects hardcoded passwords, API keys, and secrets in source code

Critical

Environment File

Validates .env file security, location, and prevents exposure of sensitive data

Critical

Environment File HTTP Accessibility

Verifies .env file is not accessible via HTTP requests to the web server

Critical

Debug Mode

Detects debug mode enabled and debugging functions that expose sensitive information

Critical

PHP Configuration

Validates that PHP ini settings are configured securely

High

Pro Telescope Security

Ensures Laravel Telescope is properly secured in production

High

Pro Nova Security

Ensures Laravel Nova admin panel is properly secured

High

Pro Horizon Security

Ensures Laravel Horizon dashboard is properly secured

High

Pro Pulse Security

Validates Laravel Pulse dashboard authorization, data retention, and security settings

High

Data Protection

Password Security

Validates password hashing, policy enforcement, plain-text storage, validation rules, and rehash usage

Critical

Cookie Security

Validates cookie encryption and security configuration

Critical

Pro Cookie Domain

Detects unnecessary cookie domain configuration that makes cookies less restrictive

Medium

Fillable Foreign Key

Detects foreign keys in fillable arrays that may allow unauthorized relationship manipulation

High

Pro Cryptographic Weakness

Detects weak cryptographic algorithms and insecure random number generation

High

Compliance & Audit

Pro Audit Logging

Validates that security-sensitive operations have proper audit logging for compliance and incident response

Medium

Pro GDPR Compliance

Validates basic GDPR compliance patterns including data deletion, consent tracking, and encryption at rest

Medium

HTTP Security

Pro Clickjacking Protection

Detects missing clickjacking protection via X-Frame-Options or CSP frame-ancestors

High

HSTS Header

Validates HTTP Strict Transport Security (HSTS) header configuration for HTTPS-only applications

High

Pro MIME Sniffing Protection

Ensures X-Content-Type-Options header prevents MIME type sniffing

Medium

Pro Web Server Fingerprinting

Detects server information leakage through HTTP headers

Low

Pro Host Header Injection

Detects host header injection vulnerabilities that can lead to cache poisoning or password reset attacks

High

Pro CORS Configuration

Validates Cross-Origin Resource Sharing configuration for security, preventing overly permissive API access

High

Pro Route Rate Limiting

Validates that public API endpoints have rate limiting configured to prevent abuse and brute force attacks

Medium

Pro Open Redirection

Detects open redirect vulnerabilities that can be used for phishing attacks

Medium

Frontend & API Security

Pro Livewire Security

Validates Livewire component security including property exposure, authorization checks, and file uploads

High

Pro Reverb Security

Validates Laravel Reverb WebSocket configuration, channel authorization, and SSL/TLS settings

High

Pro Inertia Security

Validates Inertia.js shared data exposure and middleware configuration to prevent sensitive data leakage

Medium

Dependencies & Updates

Vulnerable Dependencies

Scans composer dependencies for known security vulnerabilities

Critical

Frontend Vulnerable Dependencies

Scans npm/yarn dependencies for known security vulnerabilities

Critical

Up-to-Date Dependencies

Checks if dependencies are up-to-date with available bug fixes and security patches

Medium

Stable Dependencies

Validates that all dependencies use stable versions rather than dev/alpha/beta releases

Low

License Compliance

Validates that all dependencies use legally acceptable licenses for your application type

High

File System Security

File Permissions

Validates that project files and directories use secure permissions

Critical

How They Work

Security analyzers use a combination of:

  1. Static Code Analysis: Parses code to detect vulnerable patterns (SQL injection, XSS, mass assignment)
  2. Configuration Validation: Checks Laravel configuration for security settings
  3. Dependency Scanning: Scans Composer and npm/yarn dependencies for known vulnerabilities
  4. File System Checks: Validates file permissions and .env file security
  5. HTTP Header Analysis: Verifies security headers are properly configured

Severity Levels

SeverityDescriptionExamples
CriticalSevere security vulnerabilities that can lead to data breachesSQL injection, XSS, missing authentication, exposed secrets, vulnerable dependencies
HighSignificant security risks that need immediate attentionMass assignment, unguarded models
LowBest practice violations and minor security improvementsUp-to-date dependencies

Running Security Analyzers

Run All Security Analyzers

bash
php artisan shield:analyze --category=security

Run Specific Analyzer

bash
php artisan shield:analyze --analyzer=sql-injection
php artisan shield:analyze --analyzer=xss-vulnerabilities
php artisan shield:analyze --analyzer=mass-assignment-vulnerabilities

Run Multiple Analyzers

bash
php artisan shield:analyze --analyzer=sql-injection,xss-vulnerabilities,csrf-protection

Best Practices

Development

  • Run security analyzers before committing code
  • Fix Critical and High severity issues immediately
  • Never commit secrets or API keys to version control
  • Use environment variables for sensitive configuration

Code Reviews

  • Review security analyzer results in pull requests
  • Ensure new code follows security best practices
  • Validate that authentication and authorization are properly implemented

Production

  • Run security analyzers regularly in production
  • Monitor for new vulnerabilities in dependencies
  • Keep dependencies up-to-date with security patches
  • Review and rotate secrets regularly

CI/CD

  • Run security analyzers on every pull request
  • Fail builds on Critical security issues
  • Scan dependencies for vulnerabilities in CI pipeline
  • Monitor security posture over time

Security Checklist

Before deploying to production, ensure:

  • ✅ Application key is set and secure
  • ✅ Debug mode is disabled
  • ✅ .env file is not accessible via HTTP
  • ✅ File permissions are secure (644 for files, 755 for directories)
  • ✅ All routes have proper authentication/authorization
  • ✅ CSRF protection is enabled on all forms
  • ✅ Clickjacking protection enabled (X-Frame-Options or CSP frame-ancestors)
  • ✅ SQL injection protection (use Eloquent/parameter binding)
  • ✅ XSS protection (escape all user input)
  • ✅ File uploads have MIME type, extension, and size validation
  • ✅ Uploaded files stored in private directories (not publicly executable)
  • ✅ Mass assignment protection (use $fillable/$guarded)
  • ✅ Password hashing uses strong algorithms (bcrypt 12+ rounds or Argon2id)
  • ✅ Dependencies are up-to-date and vulnerability-free
  • ✅ HTTPS is enforced (HSTS header configured)
  • ✅ Cookies are secure (httpOnly, secure flags)
  • ✅ Cookie domain is only set when using subdomain routing
  • ✅ Login throttling is enabled

Copyright © 2026 ShieldCI